swaf/dist/components/CsrfProtectionComponent.js

57 lines
7.1 KiB
JavaScript
Raw Normal View History

2020-04-22 15:52:17 +02:00
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
import ApplicationComponent from "../ApplicationComponent";
import crypto from "crypto";
import { BadRequestError } from "../HttpError";
export default class CsrfProtectionComponent extends ApplicationComponent {
start(app, router) {
return __awaiter(this, void 0, void 0, function* () {
router.use((req, res, next) => {
if (!req.session) {
throw new Error('Session is unavailable.');
}
res.locals.getCSRFToken = () => {
if (typeof req.session.csrf !== 'string') {
req.session.csrf = crypto.randomBytes(64).toString('base64');
}
return req.session.csrf;
};
if (!['GET', 'HEAD', 'OPTIONS'].find(s => s === req.method)) {
if (req.session.csrf === undefined) {
throw new InvalidCsrfTokenError(req.baseUrl, `You weren't assigned any CSRF token.`);
}
else if (req.body.csrf === undefined) {
throw new InvalidCsrfTokenError(req.baseUrl, `You didn't provide any CSRF token.`);
}
else if (req.session.csrf !== req.body.csrf) {
throw new InvalidCsrfTokenError(req.baseUrl, `Tokens don't match.`);
}
}
next();
});
});
}
stop() {
return __awaiter(this, void 0, void 0, function* () {
});
}
}
class InvalidCsrfTokenError extends BadRequestError {
constructor(url, details, cause) {
super(`Invalid CSRF token`, `${details} We can't process this request. Please try again.`, url, cause);
}
get name() {
return 'Invalid CSRF Token';
}
get errorCode() {
return 401;
}
}
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQ3NyZlByb3RlY3Rpb25Db21wb25lbnQuanMiLCJzb3VyY2VSb290IjoiLi8iLCJzb3VyY2VzIjpbImNvbXBvbmVudHMvQ3NyZlByb3RlY3Rpb25Db21wb25lbnQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7O0FBQUEsT0FBTyxvQkFBb0IsTUFBTSx5QkFBeUIsQ0FBQztBQUUzRCxPQUFPLE1BQU0sTUFBTSxRQUFRLENBQUM7QUFDNUIsT0FBTyxFQUFDLGVBQWUsRUFBQyxNQUFNLGNBQWMsQ0FBQztBQUU3QyxNQUFNLENBQUMsT0FBTyxPQUFPLHVCQUF3QixTQUFRLG9CQUEwQjtJQUM5RCxLQUFLLENBQUMsR0FBWSxFQUFFLE1BQWM7O1lBQzNDLE1BQU0sQ0FBQyxHQUFHLENBQUMsQ0FBQyxHQUFHLEVBQUUsR0FBRyxFQUFFLElBQUksRUFBRSxFQUFFO2dCQUMxQixJQUFJLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRTtvQkFDZCxNQUFNLElBQUksS0FBSyxDQUFDLHlCQUF5QixDQUFDLENBQUM7aUJBQzlDO2dCQUVELEdBQUcsQ0FBQyxNQUFNLENBQUMsWUFBWSxHQUFHLEdBQUcsRUFBRTtvQkFDM0IsSUFBSSxPQUFPLEdBQUcsQ0FBQyxPQUFRLENBQUMsSUFBSSxLQUFLLFFBQVEsRUFBRTt3QkFDdkMsR0FBRyxDQUFDLE9BQVEsQ0FBQyxJQUFJLEdBQUcsTUFBTSxDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUMsQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLENBQUM7cUJBQ2pFO29CQUNELE9BQU8sR0FBRyxDQUFDLE9BQVEsQ0FBQyxJQUFJLENBQUM7Z0JBQzdCLENBQUMsQ0FBQztnQkFFRixJQUFJLENBQUMsQ0FBQyxLQUFLLEVBQUUsTUFBTSxFQUFFLFNBQVMsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsS0FBSyxHQUFHLENBQUMsTUFBTSxDQUFDLEVBQUU7b0JBQ3pELElBQUksR0FBRyxDQUFDLE9BQU8sQ0FBQyxJQUFJLEtBQUssU0FBUyxFQUFFO3dCQUNoQyxNQUFNLElBQUkscUJBQXFCLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxzQ0FBc0MsQ0FBQyxDQUFDO3FCQUN4Rjt5QkFBTSxJQUFJLEdBQUcsQ0FBQyxJQUFJLENBQUMsSUFBSSxLQUFLLFNBQVMsRUFBRTt3QkFDcEMsTUFBTSxJQUFJLHFCQUFxQixDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsb0NBQW9DLENBQUMsQ0FBQztxQkFDdEY7eUJBQU0sSUFBSSxHQUFHLENBQUMsT0FBTyxDQUFDLElBQUksS0FBSyxHQUFHLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRTt3QkFDM0MsTUFBTSxJQUFJLHFCQUFxQixDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUscUJBQXFCLENBQUMsQ0FBQztxQkFDdkU7aUJBQ0o7Z0JBQ0QsSUFBSSxFQUFFLENBQUM7WUFDWCxDQUFDLENBQUMsQ0FBQztRQUNQLENBQUM7S0FBQTtJQUVZLElBQUk7O1FBQ2pCLENBQUM7S0FBQTtDQUNKO0FBRUQsTUFBTSxxQkFBc0IsU0FBUSxlQUFlO0lBQy9DLFlBQVksR0FBVyxFQUFFLE9BQWUsRUFBRSxLQUFhO1FBQ25ELEtBQUssQ0FDRCxvQkFBb0IsRUFDcEIsR0FBRyxPQUFPLG1EQUFtRCxFQUM3RCxHQUFHLEVBQ0gsS0FBSyxDQUNSLENBQUM7SUFDTixDQUFDO0lBRUQsSUFBSSxJQUFJO1FBQ0osT0FBTyxvQkFBb0IsQ0FBQztJQUNoQyxDQUFDO0lBRUQsSUFBSSxTQUFTO1FBQ1QsT0FBTyxHQUFHLENBQUM7SUFDZixDQUFDO0NBQ0oiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgQXBwbGljYXRpb25Db21wb25lbnQgZnJvbSBcIi4uL0FwcGxpY2F0aW9uQ29tcG9uZW50XCI7XG5pbXBvcnQge0V4cHJlc3MsIFJvdXRlcn0gZnJvbSBcImV4cHJlc3NcIjtcbmltcG9ydCBjcnlwdG8gZnJvbSBcImNyeXB0b1wiO1xuaW1wb3J0IHtCYWRSZXF1ZXN0RXJyb3J9IGZyb20gXCIuLi9IdHRwRXJyb3JcIjtcblxuZXhwb3J0IGRlZmF1bHQgY2xhc3MgQ3NyZlByb3RlY3Rpb25Db21wb25lbnQgZXh0ZW5kcyBBcHBsaWNhdGlvbkNvbXBvbmVudDx2b2lkPiB7XG4gICAgcHVibGljIGFzeW5jIHN0YXJ0KGFwcDogRXhwcmVzcywgcm91dGVyOiBSb3V0ZXIpOiBQcm9taXNlPHZvaWQ+IHtcbiAgICAgICAgcm91dGVyLnVzZSgocmVxLCByZXMsIG5leHQpID0+IHtcbiAgICAgICAgICAgIGlmICghcmVxLnNlc3Npb24pIHtcbiAgICAgICAgICAgICAgICB0aHJvdyBuZXcgRXJyb3IoJ1Nlc3Npb24gaXMgdW5hdmFpbGFibGUuJyk7XG4gICAgICAgICAgICB9XG5cbiAgICAgICAgICAgIHJlcy5sb2NhbHMuZ2V0Q1NSRlRva2VuID0gKCkgPT4ge1xuICAgICAgICAgICAgICAgIGlmICh0eXBlb2YgcmVxLnNlc3Npb24hLmNzcmYgIT09ICdzdHJpbmcnKSB7XG4gICAgICAgICAgICAgICAgICAgIHJlcS5zZXNzaW9uIS5jc3JmID0gY3J5cHRvLnJhbmRvbUJ5dGVzKDY0KS50b1N0cmluZygnYmFzZTY0Jyk7XG4gICAgICAgICAgICAgICAgfVxuICAgICAgICAgICAgICAgIHJldHVybiByZXEuc2Vzc2lvbiEuY3NyZjtcbiAgICAgICAgICAgIH07XG5cbiAgICAgICAgICAgIGlmICghWydHRVQnLCAnSEVBRCcsICdPUFRJT05TJ10uZmluZChzID0+IHMgPT09IHJlcS5tZXRob2QpKSB7XG4gICAgICAgICAgICAgICAgaWYgKHJlcS5zZXNzaW9uLmNzcmYgPT09IHVuZGVmaW5lZCkge1xuICAgICAgICAgICAgICAgICAgICB0aHJvdyBuZXcgSW52YWxpZENzcmZUb2tlbkVycm9yKHJlcS5iYXNlVXJsLCBgWW91IHdlcmVuJ3QgYXNzaWduZWQgYW55IENTUkYgdG9rZW4uYCk7XG4gICAgICAgICAgICAgICAgfSBlbHNlIGlmIChyZXEuYm9keS5jc3JmID09PSB1bmRlZmluZWQpIHtcbiAgICAgICAgICAgICAgICAgICAgdGhyb3cgbmV3IEludmFsaWRDc3JmVG9rZW5FcnJvcihyZXEuYmFzZVVybCwgYFlvdSBkaWRuJ3QgcHJvdmlkZSBhbnkgQ1NSRiB0b2tlbi5gKTtcbiAgICAgICAgICAgICAgICB9IGVsc2UgaWYgKHJlcS5zZXNzaW9uLmNzcmYgIT09IHJlcS5ib2R5LmNzcmYpIHtcbiAgICAgICAgICAgICAgICAgICAgdGhyb3cgbmV3IEludmFsaWRDc3JmVG9rZW5FcnJvcihyZXEuYmFzZVVybCwgYFRva2VucyBkb24ndCBtYXRjaC5gKTtcbiAgICAgICAgICAgICAgICB9XG4gICAgICAgICAgICB9XG4gICAgICAgICAgICBuZXh0KCk7XG4gICAgICAgIH0pO1xuICAgIH1cblxuI